Personal Data Processing Policy

Suntem consultanţi în domeniul financiar - contabil și fiscal, iar cifrele reprezintă pentru noi mai mult decât simple instrumente de lucru. Contabilitate, salarizare, taxe, audit.

PERSONAL DATA PROCESSING POLICY OF THE CROWE FINEXPERT BOSCOLO GROUP

Rev: 3.0 Valid as of 06.03.2023


1.    Premises

2.    Identity of the controller

3.    Categories of persons and our activities

4.    Quality of processed data

5.    Collection purpose

6.    Period in which personal data shall be processed:

7.    Personal data recipients:

7.1  Third Parties involved in processing personal data

8.    Security measures:

9.    Data transfer

10.  Data subject’s rights regarding the processing of personal data


1.  Premises


We hereby inform you of the personal data which the companies of the Crowe Finexpert Boscolo Group collects and processes. In the process of collecting and processing the provided personal data, the company acts as a personal data controller, and it has the legal obligation of providing information regarding the data which it collects, the purpose and means of processing personal data and the rights which you, as a data subject, have on personal data, according to the law.


The purpose of this document is to detail the manner in which Crowe Finexpert Boscolo companies collect, use and treat your data, by considering data subject categories


For the Crowe Finexpert Boscolo Group, data confidentiality is important, and the private nature of information and its security are ensured.


The notion of personal data includes any information that leads or may lead to your identification as a natural person when you interact with one of the companies of the group.


According to art. 4 section 1 of Regulation no. 679/2016, "personal data" means “any information related to an identified or identifiable individual ("data subject"); an identifiable natural person is a person who can be directly or indirectly identified, especially in reference to an identifier, such as a name, an identification number, location data, an online identifier, or one or several elements specific to his or her physical, physiological, genetic, mental, economic, cultural or social identity”.


The Crowe Finexpert-Boscolo Group makes sure that for each personal data processing it has identified processing legal grounds according to Regulation 6792016, that this information is internally reviewed on a permanent basis, and that it makes all efforts in order to correctly and transparently inform the data subjects to which the processed data refers.


In case of data processing whose legal grounds are based on the data subject’s consent, Crowe Finexpert-Boscolo provides adequate technical means for you to express, in a free and informed manner, your consent for each data set, for which you express your processing approval.  


2.  Identity of the controller


The Crowe Finexpert-Boscolo Group is composed of the following personal entities:


FINEXPERT - BOSCOLO CONSULTING SRL, registered office at address No. 5, Popa Petre Street, part 2, Section 5, District 2, Bucharest, Trade Register registration number J40/7111/2003, Sole Registration Number RO15462709;


FINEXPERT - BOSCOLO TAX & CORPORATE SRL, registered office at address No. 5, Popa Petre Street, 4th floor, part 1, District 2, Bucharest, Trade Register registration no. J40/8368/2015, Sole Registration Number RO34753380;


FINEXPERT - BOSCOLO AUDIT AND ADVISORY SRL, registered office at address No. 5, Popa Petre Street, unit A, 5th floor, office 501, District 2, Bucharest, Trade Register registration no. J40/4007/1995, Sole Registration Number RO7475015;


FINEXPERT - BOSCOLO ZUCCHETTI PAYROLL SRL, registered office at address No. 5, Popa Petre Street, part 2, 3rd floor, section 7, District 2, Bucharest, Trade Register registration no. J40/4049/2006CUI RO18468447;


The companies shall be collectively hereinafter referred to as “Controller”, defined as a personal data controller according to European Regulation no. 679/2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation or GDPR).


You may contact us online at e-mail address dpo@crowe.ro or by mail to the aforementioned addresses.


We are not obligated to have a data protection officer; therefore, any question regarding the use of your personal data must be sent by using the aforementioned contact data.    


3.  Categories of persons and our activities


According to art. 13 of Regulation no. 679/2016, we hereby inform you that the Crowe Finexpert Boscolo group of companies, in virtue of the legal grounds indicated in this document, depending on each activity it carries out, processes personal data of several categories of data subjects. These categories of data subjects are  


3.1 Persons associated to customers when we act as a controller


Data collection: Our policy is to collect data for explicit and specific purposes, and we always ask our customers to share data which is strictly relevant for these purposes. The collected data is specific to the services we provide to the customers of the Crowe Finexpert Boscolo group, with which, due to the specificity of the contract, purpose and means of processing, we are in a controller - controller relationship, according to the provisions of GDPR. Data is collected by written information requests. Personal data is contained by financial and accounting documents, contracts, documents regarding the salary process, documents regarding the salary process, documents regarding the legal operation of a company, etc. which belong to our customers and are necessary for achieving the scope of the contract.


Data use: We use the collected data in order to manage commercial contracts, exchange documents and information related to contractual obligations and permanently develop the services, conditions and facilities which we provide to our customers.

The data may be used and shared with other entities, in order to recover the commercial debts of our customers.

We use the data in order to ensure the security of the data, including personal data, in order to discover, investigate and resolve any threat thereto.

We use the processed data in order to comply with our legal and professional obligations, according to the specificity of our commercial activities.


Processing legal grounds: The compliance with our obligations on fiscal matters, such as recording and proving the services we provide, the services and goods we purchase, or regarding other laws or professional responsibilities with which we must comply, classifies personal data processing under Art. 6 par. 1 letter c. of Regulation 679/2016, legal obligation.  

In our activities of managing customers, ensuring data security and developing our business, we process data based on our legitimate interests, which we internally document in order to ascertain the impact on the data subject’s fundamental interests or rights and freedoms.


Data retention period:  We keep personal data as long as it is necessary for the processing purpose, by considering the legal provisions. In the absence of legal, professional or contractual requirements, we keep personal data for a period of maximum 10 years.


Notification: Our commercial contracts contain provisions regarding the obligations of the parties regarding personal data which is processed within exchanges of documents and information related to the contract. The main responsibility for notifying the data subjects who have contractual relationships with our customers belongs to our customers, which must provide complete information in a transparent manner on sharing this data to other controllers. In case of data subjects who are not directly affiliated to customers, but whose personal data is processed as it is included in the documents that are necessary for achieving the objects of ongoing contracts, the Crowe Finexpert Boscolo group may be unable to send notifications directly to them. In these situations, data processing remains compliant with the provisions of GDPR according to Art. 14, paragraph 5, letter (b).  


3.2 Persons associated to customers when we act as a processor


Data collection: Our policy is to collect data for explicit and specific purposes, and we always ask our customers to share data which is strictly relevant for these purposes. The collected data is specific to the services we provide to the customers of the Crowe Finexpert Boscolo group, with which, due to the specificity of the contract, purpose and means of processing, we are in a controller - processor relationship, according to the provisions of GDPR. Data is collected by written information requests. Personal data is contained by financial and accounting documents, contracts, documents regarding the salary process, documents regarding the salary process, documents regarding the legal operation of a company, etc. which belong to our customers and are necessary for achieving the scope of the contract. We collect this data by complying with the contractual obligations derived from the contracts and the written processing instructions of our controller customers.


Data use: We use the collected data in order to exchange documents and information related to contractual obligations


Processing legal grounds: According to the provisions of GDPR, the processor does not establish the legal grounds for processing personal data. This is an attribution and obligation specific to controllers.


Data retention period:  We keep personal data as long as it is necessary for implementing contracts with controllers. After the cessation of the contracts, the personal data is returned to the controllers, upon their request. Within 30 days after the cessation of the contracts, the personal data is safely deleted, and the operator is notified in writing regarding this aspect. 


Notification: As processors, the companies of the Crowe Finexpert Boscolo group do not have attributions of obligations of notifying data subjects, unless they are expressly mandated by the controllers to send notifications on their behalf. The responsibility and obligation of notifying data subjects exclusively belongs to our controller customers.  


3.3 Persons associated to providers


Data collection: Our policy is to collect data for explicit and specific purposes, and we always ask our providers to share data which is strictly relevant for these purposes. The collected data is mainly contact data such as: name, position, e-mail, telephone, etc.


Data use: We use the collected data in order to manage commercial contracts, exchange documents and information related to contractual obligations and permanently develop the services, conditions and facilities which we provide to our customers. The data may be used and shared with other entities, in order to recover the commercial debts of our customers and providers. We use the data in order to ensure the security of the data, including personal data, in order to discover, investigate and resolve any threat thereto. We use the processed data in order to comply with our legal and professional obligations, according to the specificity of our commercial activities.


Processing legal grounds: The compliance with our obligations on fiscal matters, such as recording and proving the services we provide, the services and goods we purchase, or regarding other laws or professional responsibilities with which we must comply, classifies personal data processing under Art. 6 par. 1 letter c. of Regulation 679/2016, legal obligation.   In our activities of managing providers, ensuring data security and developing our business, we process data based on our legitimate interests, which we internally document in order to ascertain the impact on the data subject’s fundamental interests or rights and freedoms.


Data retention period:  We keep personal data as long as it is necessary for the processing purpose, by considering the legal provisions. In the absence of legal, professional or contractual requirements, we keep personal data for a period of maximum 10 years.


Notification: Our commercial contracts contain provisions regarding the obligations of the parties regarding personal data which is processed within exchanges of documents and information related to the contract. The main responsibility for notifying the data subjects who have contractual relationships with our providers belongs to our providers, which must provide complete information in a transparent manner on sharing this data to other controllers.  For the cases where the processing legal grounds are based on consent, the obligation is incurred directly, and you shall be informed before the start of the processing.  


3.4 Persons associated to potential customers and providers  


Data collection: The Crowe Finexpert Boscolo group collects contact data of potential customers and providers, by using information which they share publicly. The collected data is mainly contact data such as: name, position, e-mail, telephone, the moment when a meeting takes place, etc.


Data use: We use the collected data in order to send customized service offers to potential customers, in order to analyze market trends and sale opportunities, for surveying the market in order to purchase goods and services for the companies from our group.


Processing grounds: We process data based on our legitimate interests, which we internally document in order to ascertain the impact on the data subject’s fundamental interests or rights and freedoms. We process personal data based on our consent for certain promotion activities which we may organize in order to develop our business.


Data retention period: We keep personal data as long as it is necessary for the processing purpose, by considering the legal provisions. In the absence of legal, professional or contractual requirements, we keep personal data for a period of maximum 10 years.


Notification: According to the provisions of art. 14 par. 3, letter b of Regulation 679/2016 on notifying data subjects if personal data is not obtained from the data subject, the Crowe Finexpert Boscolo Group shall completely and transparently inform the respective persons when it contacts them.


3.5 Persons who are interested in notifications from the Crowe Finexpert Boscolo group


Data collection: Personal data is directly collected from data subjects, both remotely and by the information resources of the controller (website, social media). Data may be collected indirectly if you are an affiliate of a group customer, you have been appointed as the person who receives legislative notifications, and one of your professional attributions is to receive such notifications. As part of the continuous improvement of the services provided to its customers, the Crowe Finexpert Boscolo Group provides free of charge to its customers and to the public analyses and legislative notifications in areas of interest


Data use: The collected data is used in order to send periodical notifications to stakeholders, and especially to group customers. The collected data may be shared with other partner companies which ensure a technical framework and adequate solutions for this processing.


Processing grounds: The processing legal grounds is mainly based on freely expressed consent. If you are an affiliate of a customer, the processing legal grounds are either contractual ones, as part of professional obligations, or the freely expressed consent granted to your employer. In case of posts made by social networks, you granted your consent for processing your personal data when you created your user account on these platforms. Your interaction with our social media resources (comments, post reactions, tags) represents the processing consent you grant to us for the aforementioned purposes.


Data retention period: The data collected in order to send notifications regarding legislative modifications is kept for the entire period in which your consent remains valid. In case of online communications via social networks, data is kept and associated to the company as long as the person maintains his/her processing consent granted to the social network.


Notification: The data subject is adequately informed, in a detailed manner, when he/she grants his/her consent for this processing, and the consent is expressed by adequate technical means. The data subject may withdraw his/her consent for this processing at any time by using the “Unsubscribe” function. The Crowe Finexpert Boscolo group shall cease the processing, but shall keep information regarding the period in which the consent was valid.  


3.6 Persons who attend promotion events and social responsibility events


Data collection: Personal data is directly collected from data subjects, both remotely and by the information resources of the controller (website, social media) and by direct contact, during the implementation of promotion campaigns. The initially collected data is contact data of the person who wishes to participate in these campaigns, in order to obtain benefits such as goods, services or training, audio and video materials and photos. 


Data use: The collected data is used for organizing promotion events such as: communicating details of these events, obtaining consent for commercial communications for other future events.  The collected data may be used in drafting fiscal-accounting records, if necessary, and for antifraud purposes. It may be shared with other partner companies that participate in these events.


Processing grounds: The processing legal grounds is mainly based on freely expressed consent. The controller shall also use this data for legitimate purposes, in order to prevent fraud which may occur during these events. In case of implementing events by social networks, you granted your consent for processing your personal data when you created your user account on these platforms. Your interaction with our social media resources (comments, post reactions, tags) represents the processing consent you grant to us for the aforementioned purposes.


Data retention period: The data collected during promotion events is kept for maximum 2 months. The data of the data subjects that are part of the fiscal-accounting processing is kept for a period stipulated by legal provisions. The collected data for which the controller obtains the data subject’s consent in order for the latter to participate in future events or other communications related to marketing is kept as long as the data subject maintains his/her processing consent. In case of online events via social networks, data is kept and associated to the company as long as the person maintains his/her processing consent granted to the social network Audio and video materials and photos from promotion events shall be kept as long as the data subjects maintain their processing consent.


Notification: The data subject is adequately informed, in a detailed manner, during each event in which he/she participates, based on his/her freely expressed consent. If the participation materials do not allow for objective reasons the sending of adequate notifications, Crowe Finexpert Boscolo shall indicate the location where the notification may be consulted (displayed at the premises where the events take place, website, etc.)  


3.7 Persons who visit premises where we carry out our activities


Data collection:  Data is directly collected from visitors, and consist of images obtained by the audio-video surveillance devices installed in order to ensure the security of goods and persons. At certain premises where the Crowe Finexpert Boscolo group carries out its activities, visitors’ contact data is additionally collected, such as surname, first name, city, arrival and departure time.


Data use: The data is collected in order to ensure the security of the goods we use or hold, and in order to ensure the security of our employees, collaborators and other persons who are at these premises. Audio-video data is automatically and permanently overwritten by new recordings.  This data is consulted only if there is a need to investigate an incident. The data may be shared with the authorities which have attributions regarding public safety, upon their request.


Processing grounds: Personal data is processed based on our legitimate interests, which we internally document in order to ascertain the impact on the data subject’s fundamental interests or rights and freedoms.


Data retention period: Audio-video data is kept for 30 days. It is automatically deleted when this term expires. Visitors’ contact data may be kept for maximum 3 months.


Notification: The premises where we carry out our activities, which are protected by CCTV equipment, displays suggestive warning images regarding video surveillance. A detailed notice is also displayed in a place that is easily accessible to visitors   


3.8 Natural persons who benefit from our services


Data collection: Our policy is to collect data for explicit and specific purposes, and we always ask our customers to share data which is strictly relevant for these purposes. The collected data is used for the purpose of implementing the objectives of the contract with the respective person. It may refer to contact data, business activities, financial information, litigations, and other information that is necessary for complying with the obligations of the Crowe Finexpert Boscolo group according to a contract.


Data use: We use the collected data in order to manage commercial contracts, exchange documents and information related to contractual obligations, in order to implement the contractual provisions which exist between the parties, for adequately invoicing the provided services and in order to permanently develop the services, conditions and facilities which we provide to our customers. We use the data in order to ensure the security of the data, including personal data, in order to discover, investigate and resolve any threat thereto. We use the processed data in order to comply with our legal and professional obligations, according to the specificity of our commercial activities. The data may be used and shared with other entities, in order to recover receivables. 


Processing grounds: The main legal grounds of the processing are contractual grounds, according to art. 6 par. 1, letter b. The compliance with our obligations on fiscal matters, such as recording and proving the services we provide, the services and goods we purchase, or regarding other laws or professional responsibilities with which we must comply, classifies personal data processing under Art. 6 par. 1 letter c. of Regulation 679/2016, legal obligation.   We process data based on our legitimate interests, which we internally document in order to ascertain the impact on the data subject’s fundamental interests or rights and freedoms in case of receivable recovery activities, and data securitization.


Data retention period: We keep personal data as long as it is necessary for the processing purpose, by considering the legal provisions. In the absence of legal, professional or contractual requirements, we keep personal data for a period of maximum 10 years.


Notification: Our commercial contracts contain provisions regarding the obligations of the parties regarding personal data which is processed within exchanges of documents and information related to the contract. A notice which details all the data processing operations related to the relationship is annexed to each contract which the Crowe Finexpert Boscolo group concludes with natural persons or freelancers.  


3.9 Persons who apply for jobs


Data collection: We collect personal data as part of the recruitment process. We collect this data either directly, if you contact us, or indirectly, by a recruitment agency, a commercial partner that provides personnel leasing services, or by specialized online platforms (Ejobs, BestJobs, Linkedin)

The information that we process is contact data, family information, data regarding previous training and professional experience and any other data which you deem as relevant and disclose in the CV. Please do not disclose information classified in the category of special data, as defined in Art. 9 of Regulation 679/2016, such as race, ethnic origin, political orientations, religion, biometric information, information about health and sexual life.


Data use: We use this data in order to assess whether training and professional experience are adequate to our needs. With your approval, we may use this data in order to inform you regarding the availability of other jobs within the company in the future or to inform you about events where we are present with job offers. If you provide us with special information, we will take measures to selectively remove them from our system, as we cannot identify adequate processing legal grounds, according to the provisions of the regulation.


Processing grounds: We keep and process data in virtue of our legal obligation, for the provisions expressly indicated in the Labor Code, and also for contractual interests, by considering the process of selection and assessment prior to the employment process. If the recruitment does not take place, the data shall be kept by strictly asking for your consent for the aforementioned purposes. In case of collecting data from third parties, such as recruitment agencies, online platforms or providers of personnel leasing services, we process data in virtue of the consent you granted to them to share your data with other companies, for employment purposes.


Data retention period: If the recruitment is successfully completed, this data shall be kept and processed as part as the data we process according to the law in case of employees.  The information that belongs to persons who have not been hired shall be deleted within 12 months after the completion of the recruitment process. For persons who express their consent in order to receive additional information about the availability of a position within the company, we keep the data during the period in which your consent remains valid.


Notification: We shall completely and transparently inform you about the processing operations related to the recruitment process when we contact you. Also, you shall sign an informed consent form stating that we have your approval to keep the data for further processing.   


3.10 Persons affiliated to the Crowe Finexpert Boscolo Group


Data collection: We collect personal data as an employer. We collect this data directly. The information we process is contact data, family information, data about previous training and experience, financial information regarding revenues, taxes, some information about expenses, information about health and work capacity, information about accessing IT resources, information regarding activities carried out during the work hours, and other information that is relevant for the contractual relationship with the Crowe Finexpert Boscolo Group.


Data use: We use this data for the employer - employee to be implemented under the best conditions and according to the legal provisions.  We use this data in order to grant benefits, in order to adequately implement the commercial purposes of the group companies, in order to protect the resources that belong to us or which we manage. With your approval, we may use this data in order to promote the image of the company.


Processing grounds: We keep and process data in virtue of our legal obligation, for the provisions indicated in the legislation applied to the employer - employee relationship. We process personal data by using the legal grounds of the contractual relationship, considering the contractual provisions related to the position you hold / held in one of the group companies. We process data based on our legitimate interests, which we internally document in order to ascertain the impact on the data subject’s fundamental interests or rights and freedoms in case of receivable recovery activities, and data securitization. In case of all other processing operations, we use the legal grounds of freely expressed consent, which precedes the processing.


Data retention period: For data processed in order to comply with the legal obligations regarding the data subject’s employee status, we shall process the data according to the specific legal provisions.  For the data processed by complying with the contractual legal grounds, we shall keep the data for a period equal to the one provided by the applicable legislation regarding the financial-accounting obligations of the group companies. For the data processed in the legitimate interest of the companies, the data shall be processed for maximum 3 years. For the data processed in virtue of consent, we process the data as long as the data subject maintains his/her approval. 


Notification: Notices regarding personal data processing are part of the internal operational procedures of the group companies. Considering the large number of processing operations, notices shall be sent by using internal electronic means of communication. In certain well-defined situations, especially in situations regarding consent, documents may be adequately processed and kept on hardcopy. 


3.11 Users of the online resources of the company


The confidentiality policy of the website and of the social media resources we manage is detailed in a separate document, available online.


3.12 Other persons who contact us


Data collection: We collect data directly from persons who contact us for questions, complaints, comments or other aspects. In these situations, the persons control the data they disclose to us, and we shall use that data strictly in order to communicate and resolve the notified situation. The most frequently collected personal data is contact data and various other data specific for the respective situation. The data is collected by the contact forms we provide by online, telephone, e-mail or at our headquarters.


Data use: We use this data in order to reply to questions, complaints and generally in order to maintain adequate communication of all stakeholders or persons who are related to our activities. We may use this data for investigations regarding potential fraud involving our employees, customers or providers. 


Processing grounds: The processing legal grounds are represented by legitimate interest. In some situations, the processing grounds may be consent, and if we deem it necessary, we shall obtain the data subject’s approval before the personal data processing.  Data retention period: We shall keep personal data as long as we deem it necessary, by considering the purpose for which it is processed, but no longer than 5 years. 


Notification: We shall completely and transparently inform you about processing operations when you contact us. Also, you shall sign an informed consent form stating that we have your approval to keep the data for further processing.   


4.  Quality of processed data


The company permanently aims to comply with the principles regarding the quality of processed data, according to the provisions of art. 5 of GDPR. Such data is processed:

·       legally, fairly and transparently in relation to the data subject

·       collected for determined, explicit and legitimate purposes, and is not subsequently processed in a manner which would be incompatible with these purposes

·       adequate, relevant and limited to what is necessary to the purposes for which it is processed

·       stored in a form that allows the identification of the data subjects for a period that does not exceed the period that is necessary for fulfilling the purposes for which the data is processed

·       processed in a manner that ensures the adequate security of the personal data


5.  Collection purpose


We use your personal data only for legitimate business purposes. These include:

·       providing the requested information, and in order to reply to the correspondence received from you;

·       promoting the image of the company;

·       personnel recruitment

·       sending information about us, about our promotions and about our activities and events, and those of our partners;

·       managing customer relations. We may ask you for feedback in relation to our products and services, and send it to certain members of our personnel, in order to improve our offers.

·       personalised marketing: we may send you letters, e-mails or text messages, in order to provide you with a product or a service. You may unsubscribe from such offers. You are entitled to not consent or object to commercial or direct marketing activities, including the creation of a profile in order to carry out the activities from this type.

·       in order to carry out legal obligations and social responsibilities, according to Romanian and international laws.

Each personal data processing has a well-defined purpose which is indicated in the aforementioned categories.   


6.  Period in which personal data shall be processed:


The period during which the data is kept depends on the legal grounds of the processing and on the category of the data which is processed, and is indicated in the aforementioned processing categories. As a general principle, personal data shall be processed for a minimum period provided by the law.


In case of personal data whose legal grounds are constituted by consent, the processing may be carried out as long as the data subject maintains his/her approval, previously expressed in a free and informed manner, without affecting the legality of the processing carried out based on the consent, before it is withdrawn.


After the expiry of the indicated periods, personal data shall be anonymized or deleted according to our internal policies and procedures.


7.  Personal data recipients:


Personal data may be provided to legally authorized state authorities, upon their request, according to the law.


Personal data may also be communicated to other commercial entities (partners, group companies), as information.


7.1 Third Parties involved in processing personal data


The processing the aforementioned data may involve other entities that carry out, based on contracts, actions which would lead to the achievement of the aforementioned purposes.


By procedure, the selection of these providers also involves a standardized assessment phase, which assesses the preparation and compliance degree of the provider’s activities with the GDPR requirements.


These entities are persons mandated in virtue of GDPR, and operate your data by considering the legal provisions and the instructions of the Crowe Finexpert Boscolo Group. They must apply at least the same technical, organizational and legal measures as the operator, as well as other measures, specific to their activities. The list of mandated persons, generically indicated by categories of activities, may be consulted by a simple request, either to data protection officers or to the contact addresses indicated by the company. The Crowe Finexpert Boscolo Group is entitled to change these providers at any time during its activities.  


8.  Security measures:


The Crowe Finexpert Boscolo  Group and any entities that are mandated in order to process data shall establish technological, physical, administrative and procedural guarantees, according to the accepted standards in this field, in order to protect and ensure the confidentiality, integrity and accessibility of the processed personal data.


The Crowe Finexpert Boscolo Group and the entities mandated by the controller shall prevent the unauthorized use or access to personal data, and shall prevent personal data security breaches (security incidents), according to the instructions, policies and laws applicable to the controller.


The Crowe Finexpert Boscolo Group ensures that its employees and collaborators process this data by complying with the imposed confidentiality policy and all the internal procedures implemented regarding European regulation no. 679/2016.


9.  Data transfer


The Crowe Finexpert-Boscolo group does not transfer data outside the European Economic Area, for any of the aforementioned operations. If the use of technical solutions involves storing and processing data outside the European Economic Area, the controller shall previously consider and analyze the legal grounds of the data transfer. This informative note shall be adequately updated.   The safety measures regarding transfers remain valid no matter the situation.


10. Data subject’s rights regarding the processing of personal data


Regulation no. 679/2016 provides the following rights to persons whose data is processed:

·       right to access

·       right to rectify

·       right to delete data

·       right to restrict the processing

·       right to data portability

·       right to oppose

·       right to withdraw your consent at any time, without affecting the legality of the processing carried out based on your consent before withdrawing it;

·       right not to be subject to exclusively automated processing, including profiling, according to GDPR

·       right to submit a complaint with the personal data protection authority


For all the personal data processing operations carried out based on a legal obligation or under a contract, the refusal to provide this data may cause the termination of the contractual relations between the parties.


The processing carried out based on legitimate interests is necessary for the adequate operation of the internal processing of the controller and complies with the internal policies and procedures, which constitute obligations related to the employment contract concluded between the parties. All the processing operations carried out based on legitimate interests are detailed and approved by the managers of the organization, and ensure balance between the necessity of the processing and the data subject’s rights. For each processing operation carried out based on legitimate interests, you may ask to read the related documentation.


Depending on the legal grounds of the data processing and on the legal provisions imposed by the national or European legislation, some of the aforementioned rights are not applied.


For the processing whose legal grounds are based on your consent, you are entitled to request its cessation at any time, either by the technical means provided by media resources (by unsubscribing from our news flow, by cookie selection, etc.) or by contacting our company by the classic means provided by us (at e-mail address dpo@crowe.ro or at telephone number (+4) 0312285115 )


The Crowe Finexpert Boscolo Group does not have automated decision-taking processes. In all cases, requests may be submitted regarding the processed personal data, and the Crowe Finexpert Boscolo Group must reply within 30 days. This term may be longer, but its extension must be substantiated in writing by the controller.


Your rights may be exercised upon a request submitted to the data protection officers or to the contact addresses indicated by the company.


You are also entitled to file a complaint to the data protection supervision authority from Romania, if you deem that the processing of the personal data breaches the applicable laws.


The institution to which you may file complaints is:


Personal Data Protection Supervision National Authority

No. 28-30, G-ral Gheorghe Magheru Blvd., Bucharest

anspdcp@dataprotection.ro

www.dataprotection.ro  

+40.318.059.211

+40.318.059.212  

Captcha code
Or see contact page